Cisco has addressed a severe vulnerability in its IOS XE Software for Wireless LAN Controllers that allowed attackers to gain complete control of a device via a hardcoded JSON Web Token (JWT). The vulnerability, tracked as CVE-2025-20188 with a CVSS score of 10.0, could be exploited through crafted HTTPS requests to the AP image download interface, particularly when that feature is enabled. Cisco advises immediate patching and provides tools for determining which software versions are secure. The affected devices include various models of Catalyst 9800 controllers; other models remain unaffected.
The vulnerability in IOS XE Software for Wireless LAN Controllers enables attackers to remotely control devices due to a hardcoded JSON Web Token.
Exploiting this vulnerability can lead to complete device compromise through specially crafted HTTPS requests, allowing root access and command execution.